Supported architecture
Topology
Internet
|
HTTPS + authentication
|
Reverse proxy
|
127.0.0.1:8888
|
FastAPI + internal jobs
|
PostgreSQL in Docker
|
Separate AWS IAM rolesInstall and validate the host
Linux VPS with a dedicated non-root user
Python 3.11+, Git, Docker and Docker Compose
Public ports limited to 22, 80 and 443
A domain pointing to the VPS
An identity able to assume the AWS read-only role
Terminal
git clone https://github.com/wasteless-io/wasteless.git
cd wasteless
./install.sh --doctor
./install.sh --install-system-deps --no-schedule--doctor diagnoses without changing the system. Validate the installation before enabling scheduled collection.
Configure PostgreSQL, AWS and Steampipe
.env
DB_HOST=localhost
DB_PORT=5432
DB_NAME=wasteless
DB_USER=wasteless
DB_PASSWORD=USE_A_UNIQUE_SECRET
AWS_REGION=eu-west-1
AWS_ACCOUNT_ID=123456789012
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/wasteless-readonly
# Optional
AWS_WRITE_ROLE_ARN=arn:aws:iam::123456789012:role/wasteless-remediationKeep WASTELESS_HOST=127.0.0.1 in ui/.env. Configure Steampipe with the read-only role for its four detectors.
Local validation
./wasteless.sh start
curl -f http://127.0.0.1:8888/
./wasteless.sh collect
./wasteless.sh statusAdd TLS and authentication
/etc/caddy/Caddyfile
wasteless.example.com {
basic_auth {
admin BCRYPT_HASH
}
reverse_proxy 127.0.0.1:8888
}- The TLS certificate is valid
- Unauthenticated access is rejected
- Ports 8888 and 5432 are unreachable from the Internet
.envis outside Git and protected by operating-system permissions
Schedule, back up and monitor
Operations
./wasteless.sh schedule
./wasteless.sh status
tail -100 ~/.wasteless.log
docker exec wasteless-postgres pg_isready -U wasteless
curl -f http://127.0.0.1:8888/The collection scheduler survives reboots. FastAPI needs systemd or another supervisor to restart automatically.
Backup
docker exec wasteless-postgres pg_dump -U wasteless wasteless | gzip > wasteless_backup.sql.gzProduction checklist
- UI bound to
127.0.0.1 - TLS and proxy authentication enabled
- Separate AWS read and write roles
- Dry-run retained during initial validation
- Steampipe connected with the read-only role
- Scheduled collection active
- FastAPI managed by a supervisor
- PostgreSQL backup scheduled and restore tested
- Errors and disk usage monitored